See: Up(nil): unknown_html RIPE VG abuse at compubyte.vg 193.109.247.224 to 193.109.247.224 narod.ru htxp://knigaimen.narod.ru/
see: http://sitecheck.sucuri.net/scanner/?scan=http%3A%2F%2Fknigaimen.narod.ru%2F - site infected with malware.
Nothing here: http://urlquery.net/report.php?id=5399436
Quttera flags the following potentially suspicious code:
1001goroskop dot ru/_informer/goroskop_na_segodnja.js?
Severity: Potentially Suspicious
Reason: Detected procedure that is commonly used in suspicious activity.
Details: Too low entropy detected in string [[‘%D0%A1%D0%B5%D0%B3%D0%BE%D0%B4%D0%BD%D1%8F%20%D0%B4%D0%B0%D0%B6%D0%B5%20%D1%81%D0%B0%D0%BC%D1%8B%D0%’]] of length 3803 which may point to obfuscation or shellcode.
Threat dump: [[="%D0%A1%D0%B5%D0%B3%D0%BE%D0%B4%D0%BD%D1%8F%20%D0%B4%D0%B0%D0%B6%D0%B5%20%D1%81%D0%B0%D0%BC%D1%8B%D0%B5%20%D0%BF%D1%80%D0%BE%D1%81%D1%82%D1%8B%D0%B5%20%D0%B2%D0%B5%D1%89%D0%B8%20%D0%BC%D0%BE%D0%B3%D1%83%D1%82%20%D0%B4%D0%B0%D0%B2%D0%B0%D1%82%D1%8C%D1%81%D1%8F%20%D0%B2%D0%B0%D0%BC%20%D1%81%20%D1%82%D1%80%D1%83%D0%B4%D0%BE%D0%BC.%20%D0%A0%D0%B0%D0%B1%D0%BE%D1%82%D0%B0%2C%20%D0%BD%D0%B5%D0%BE%D0%B1%D1%85%D0%BE%D0%B4%D0%B8%D0%BC%D0%BE%D1%81%D1%82%D1%8C%20%D0%BF%D1%80%D0%B8%D0%BD%D1%8F%D1%82%D0%B8%D]] likely a vcf document download
File size[byte]: 7815
File type: ASCII
MD5: 034C0E5B323582D7D3058B16E6BA1B27
Scan duration[sec]: 0.008000
Read redleg's comments on that malware in this thread: https://www.badwarebusters.org/main/itemview/28889
See: http://aw-snap.info/file-viewer/?tgt=http%3A%2F%2Fkniga-imen.ru%2F&ref_sel=Google&ua_sel=ff
//** NOTE: There is an attempt to clean up the line above (154:) to make it easier to read. It does NOT mean the line is (or is not) malicious!
The script has a malicious counter plugin that acts as a proxy for most of the malware families.
Detection added as Redirector.KV
Thanks Pondus for following up on this.
Then on line 147 there is also a link to ("htxps:" == p ? "htxps:" : "htxp:") "//openstat.net/cnt.js")
re: http://urlquery.net/report.php?id=594315 rating.openstat.ru/s/_common/b/public/GxojcT-WGAhDzppm8W6H5Q.js benign
[nothing detected] (script) rating.openstat.ru/s/_common/b/public/GxojcT-WGAhDzppm8W6H5Q.js
status: (referer=rating.openstat.ru/)saved 10166 bytes b0811c4cac82bb4fd5b5957e7402b16bd08bf6e6
info: [decodingLevel=0] found JavaScript
suspicious: tracking extensions and adblocking extensions block this…
Quttera flags it as potentially suspicious (often meaning exploitable/open to abuse)
Potentially Suspicious files: 1
/s/_common/js/base_lisnUg.js
Severity: Potentially Suspicious
Reason: Detected procedure that is commonly used in suspicious activity.
Details: Too low entropy detected in string [[‘=%26onf=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%261=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26fx=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26’]] of length 259 which may point to obfuscation or shellcode.
Threat dump:
File size[byte]: 272598
File type: ASCII
MD5: D70FD02AE30ABC4241BB51240AD2FA4B
Scan duration[sec]: 4.685000 (Sucuri gives the site as verified clean)
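Both Quttera hits in this thread are "too low entropy" findings on percent-encoded strings. The quickest way to check such a finding is to decode the string and look at what it is, and to compare the entropy of the encoded and decoded forms: percent-encoded UTF-8 Cyrillic is dominated by "%", "D", "0", "1" and "B", so its per-character entropy is low whatever the underlying text says. The script below is an added example, not code from the thread, Quttera or Sucuri; the two sample strings are copied from the threat dumps quoted above (the first one is cut off mid-escape, exactly as the report shows it), and the 0.6 "mostly letters" threshold is an assumption chosen for illustration, not a Quttera rule.

```python
"""Added example (not from the thread above): re-check a Quttera "too low entropy"
finding by decoding the flagged string and comparing entropy before and after decoding."""
import math
from collections import Counter
from urllib.parse import unquote

# Threat dump from the goroskop_na_segodnja.js report quoted above, copied as shown
# there (it ends in a truncated "%D" escape, which is kept on purpose).
SAMPLE_HOROSCOPE = (
    "%D0%A1%D0%B5%D0%B3%D0%BE%D0%B4%D0%BD%D1%8F%20"
    "%D0%B4%D0%B0%D0%B6%D0%B5%20"
    "%D1%81%D0%B0%D0%BC%D1%8B%D0%B5%20"
    "%D0%BF%D1%80%D0%BE%D1%81%D1%82%D1%8B%D0%B5%20"
    "%D0%B2%D0%B5%D1%89%D0%B8%20"
    "%D0%BC%D0%BE%D0%B3%D1%83%D1%82%20"
    "%D0%B4%D0%B0%D0%B2%D0%B0%D1%82%D1%8C%D1%81%D1%8F%20"
    "%D0%B2%D0%B0%D0%BC%20"
    "%D1%81%20"
    "%D1%82%D1%80%D1%83%D0%B4%D0%BE%D0%BC.%20"
    "%D0%A0%D0%B0%D0%B1%D0%BE%D1%82%D0%B0%2C%20"
    "%D0%BD%D0%B5%D0%BE%D0%B1%D1%85%D0%BE%D0%B4%D0%B8%D0%BC%D0%BE%D1%81%D1%82%D1%8C%20"
    "%D0%BF%D1%80%D0%B8%D0%BD%D1%8F%D1%82%D0%B8%D"
)

# Threat dump from the base_lisnUg.js report quoted above, copied as shown there.
SAMPLE_QUERY = (
    "=%26onf=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%261="
    "%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26fx="
    "%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26"
)


def shannon_entropy(s: str) -> float:
    """Bits per character over the string's own character frequencies (0.0 for empty)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def triage(encoded: str) -> dict:
    """Decode percent-encoding and report what the low-entropy string actually is.

    unquote() leaves a malformed trailing escape such as "%D" as literal text instead of
    raising, so a dump that a scanner report cut off mid-escape still decodes.
    """
    decoded = unquote(encoded)
    alpha = sum(ch.isalpha() for ch in decoded) / len(decoded) if decoded else 0.0
    return {
        "encoded_entropy": shannon_entropy(encoded),
        "decoded_entropy": shannon_entropy(decoded),
        "alpha_fraction": alpha,
        # Assumed threshold: mostly letters after decoding reads as prose, not shellcode.
        "looks_like_text": alpha > 0.6,
        "decoded_preview": decoded[:70],
    }


if __name__ == "__main__":
    for name, sample in (("goroskop_na_segodnja.js", SAMPLE_HOROSCOPE),
                         ("base_lisnUg.js", SAMPLE_QUERY)):
        r = triage(sample)
        print(f"{name}: encoded {r['encoded_entropy']:.2f} bits/char, "
              f"decoded {r['decoded_entropy']:.2f} bits/char, "
              f"letters {r['alpha_fraction']:.0%}, text={r['looks_like_text']}")
        print("   ", r["decoded_preview"])
```

The first string decodes to plain Russian prose (a horoscope sentence, which matches the informer script's file name), and its decoded entropy is well above the encoded value; the low entropy Quttera measured is an artifact of the encoding. The second string decodes to a run of empty query parameters ("=&=&..."), which is low entropy in both forms because it really is repetitive, not because it is obfuscated. Neither result says anything about the rest of the file, only that these two strings are not the shellcode the heuristic was guarding against.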